Achieve data privacy readiness (GDPR or NDPR)
Run the regulation as a compliance initiative, run a Data Privacy Impact Assessment for high-risk processing, pair it with data security posture for inventory and retention evidence, and govern processor and cross-border obligations.
Overview
Reach readiness for a data protection regulation across both control compliance and the underlying data posture.
Step-by-step
1. In the sidebar, open 'Posture Management' then 'Compliance' and click 'New Initiative'.
2. Select the GDPR or NDPR framework, or build it with 'Create custom framework' covering lawful basis, data subject rights, breach response, and processor management.
3. Assign an accountable owner (often the data protection lead) and a business sponsor on the Delegate step, then submit.
4. Assess the controls and provide evidence for each on the 'Artefacts' tab.
5. Connect your tools under 'Account' then 'Integrations' to automate this: their security and compliance checks run as automated control assessments, and supporting evidence and snapshots are collected automatically via the integrations.
6. Open 'Posture Management' then 'Data Security' and use the 'Data Inventory', 'Data Retention', and 'Issues' tabs as supporting evidence for the regulation.
7. Run a Data Privacy Impact Assessment for your high-risk processing: launch the 'Data Privacy Impact Assessment' workflow and work its six steps (Scope, Data, Impact, Safeguards, Governance, Review).
8. On 'Scope' and 'Data', name the program and select the applicable regulations, legal basis, and jurisdictions, then build the inventory: personal data categories and sensitivity, processing activities (Article 30 records with purpose, legal basis, and retention), data subjects, and cross-border transfers with their transfer mechanism.
9. On 'Impact', complete the DPIA trigger assessment (two or more triggers mandate a full DPIA) and rate each privacy risk dimension for likelihood and severity.
10. On 'Safeguards', select your Privacy by Design measures (Article 25), map the compliance controls, and confirm the data subject rights mechanisms; on 'Governance', assign the DPO and set the approval workflow, breach notification window, prior consultation, and records of processing status.
11. On 'Review', check the DPIA Readiness score and the summary, then click 'Submit DPIA' to record the assessment.
12. Record your processors and cross-border arrangements, and publish the relevant ones in the Trust Center where you share them externally.
13. Close open gaps with remediation or exceptions, and track readiness in 'Report' then 'Trust Intelligence'.